[Snort-users] SSL worm sigs
bmc at ...950...
Sun Sep 15 18:23:02 EDT 2002
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXPERIMENTAL WEB-MISC bad HTTP/1.1 request, potential worm attack"; flow:to_server,established; content:"GET / HTTP/1.1|0d 0a 0d 0a|"; offset:0; depth:18; reference:url,securityresponse.symantec.com/avcenter/security/Content/2002.09.13.html; classtype:web-application-activity; sid:1881; rev:1;)
As I no longer have an attack lab, I haven't been able to play with the new
worm that attacks apache-ssl. However, I have written a sig that looks for
the precursor that the worm sends.
The worm sends "GET / HTTP/1.1\r\n\r\n" to port 80. This is not a valid
HTTP 1.1 request. This will catch a bunch of lame CGI scanners, and won't
catch people using the actual exploit; it should catch the worm probing.
Please test and let me know how the sig works out. When I get back to work
tomorrow, I will test a bit more, then commit it to the tree for all to
grab with the snapshots.
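Added example (not part of the original post, and not Snort's own matching engine): a small Python model of the content/offset/depth logic the signature relies on, run over constructed request payloads. It encodes the probe described in the post, "GET / HTTP/1.1\r\n\r\n", as the bytes 0d 0a 0d 0a, and shows that the 18-byte window anchored at offset 0 fires on the bare probe but not on a normal browser request, an HTTP/1.0 request, or the same bytes appearing later in the payload. The sample payloads and the `is_valid_http11` helper are constructed for illustration.

```python
"""Model of the byte-match behind the Snort signature above (added example).

This is a simplified re-implementation of Snort's content/offset/depth
semantics in plain Python, so the rule can be exercised offline against
constructed payloads. It is not Snort's engine.
"""

# The precursor the post says the worm sends: "GET / HTTP/1.1\r\n\r\n".
WORM_PROBE = b"GET / HTTP/1.1\r\n\r\n"

# The rule's content string with the |..| hex escapes resolved (0d 0a = \r\n).
CONTENT = b"GET / HTTP/1.1\x0d\x0a\x0d\x0a"
OFFSET = 0    # begin the search at the first payload byte
DEPTH = 18    # search no further than 18 bytes into the payload


def content_matches(payload: bytes, content: bytes = CONTENT,
                    offset: int = OFFSET, depth: int = DEPTH) -> bool:
    """Return True if `content` lies entirely inside payload[offset:offset+depth].

    This mirrors how offset/depth constrain a Snort content match: bytes
    outside the window are never examined, so a probe shifted by even two
    bytes does not alert.
    """
    window = payload[offset:offset + depth]
    return content in window


def is_valid_http11(payload: bytes) -> bool:
    """Rough check of why the probe is 'not a valid HTTP/1.1 request'.

    HTTP/1.1 (RFC 2616) requires a Host header on every request; the worm's
    probe ends the header block immediately after the request line.
    """
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return False
    request_line, *headers = head.split(b"\r\n")
    if not request_line.endswith(b" HTTP/1.1"):
        return False
    return any(h.lower().startswith(b"host:") for h in headers)


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "worm_probe": WORM_PROBE,
    "browser": b"GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: x\r\n\r\n",
    "http10": b"GET / HTTP/1.0\r\n\r\n",
    # Same bytes, but no longer starting at offset 0: the depth window misses it.
    "shifted": b"XX" + WORM_PROBE,
}


def classify(samples=SAMPLES) -> dict:
    """Map each sample name to whether the rule's content match would fire."""
    return {name: content_matches(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, hit in classify().items():
        print(f"{name:11s} alert={hit!s:5s} "
              f"valid_http11={is_valid_http11(SAMPLES[name])}")
```

The `browser` sample shows the property that matters operationally: a legitimate HTTP/1.1 request also starts with `GET / HTTP/1.1\r\n`, but its first 18 bytes continue into a Host header rather than a second CRLF, so the rule stays quiet on normal traffic and fires only on the bare probe the post describes.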